CVE-2026-40748: WordPress Kids Gift Shop theme <= 0.5.4 - Arbitrary File Upload vulnerability
Subscriber Arbitrary File Upload in Kids Gift Shop <= 0.5.4 versions.
Metrics
- CVSS v3.1: 9.9
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An arbitrary file upload vulnerability exists in the Kids Gift Shop WordPress theme, versions 0.5.4 and earlier. The flaw is reachable over the network and requires only a low-privilege subscriber-level account, making it accessible to any registered user on the affected site. Successful exploitation allows an attacker to upload and execute arbitrary files on the server, enabling full remote code execution with the potential for complete confidentiality, integrity, and availability impact across the hosting environment. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection of CVE-2026-40748 is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against customer images in registries and CI/CD pipelines. This matching covers custom-built images that bundle the Kids Gift Shop theme, not only images pulled directly from public sources.
Status: Available
HarborGuard is capable of scoring this CVE at its published CVSS v3.1 rating of 9.9 (Critical) and weighting that score against each customer environment's compliance policy to determine urgency. Triage findings are routed to the appropriate team inbox within each customer organization based on their configured notification rules.
Status: Available
Because no fix version has been published for the Kids Gift Shop theme, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be initiated without manual intervention as soon as a patch is available.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via standard HTTP/HTTPS traffic.
- Authentication: Required
A low-privilege account (subscriber level or equivalent) is sufficient; no administrative credentials are needed to trigger the file upload.
- Victim interaction: Not required
The attacker does not need to trick any user into taking an action; the upload can be performed directly against the application.
- Attack complexity: Detail
The exploit is reliable and condition-free, requiring no race conditions, special memory layout, or environmental dependencies to succeed.
Blast Radius
- Attacker uploads and executes arbitrary server-side code, gaining a remote shell on the hosting container or server.
- With a scope-changed (S:C) rating, a successful attacker reads all files and environment variables accessible to the web server process, including database credentials and API keys stored in WordPress configuration files.
- Attacker modifies or deletes theme files, plugins, database content, and any other assets writable by the web server process.
- Attacker crashes or renders the WordPress application unavailable by overwriting critical files or exhausting server resources through uploaded payloads.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix exists for Kids Gift Shop <= 0.5.4, the advisory is re-evaluated on every ingest cycle so a patched rebuild can be made available the moment themagnifico52 publishes a remediated version. In the interim, customers are advised to consider compensating controls such as network-policy rules that restrict unauthenticated and subscriber-level upload endpoints, egress filtering to limit outbound connections from the web server process, and disabling subscriber registration on affected WordPress sites where it is not operationally required. For customers with auto-remediation enabled, once an upstream fix is confirmed, HarborGuard will initiate a rebuilt image, run regression tests, and open a PR against affected workloads without requiring manual intervention.
- themagnifico52 / Kids Gift Shop ≤ 0.5.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
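As an added example (not HarborGuard's or the theme author's code), the following Python check finds bundled copies of the affected theme in an unpacked image or site filesystem by reading the Theme Name and Version lines of each theme's style.css header. The directory names and sample files are constructed, and treating a copy with no Version line as affected is an assumption of this example.

```python
import re
import tempfile
from pathlib import Path

THEME_NAME = "Kids Gift Shop"   # product name as given in the advisory
LAST_AFFECTED = (0, 5, 4)       # advisory: <= 0.5.4 affected, no fixed version published

# WordPress reads theme metadata from "Key: value" lines in the style.css header comment.
HEADER = re.compile(r"^[ \t/*#@]*(Theme Name|Version):[ \t]*(.*?)[ \t\r]*$", re.I | re.M)

def read_header(style_css):
    """Return the first 'theme name' and 'version' header values found in style.css."""
    fields = {}
    for key, value in HEADER.findall(style_css.read_text(errors="replace")[:8192]):
        fields.setdefault(key.lower(), value)
    return fields

def find_affected(root):
    """List (theme directory, version string) for copies of the theme in the affected range."""
    hits = []
    for css in sorted(Path(root).rglob("wp-content/themes/*/style.css")):
        fields = read_header(css)
        if fields.get("theme name", "").lower() != THEME_NAME.lower():
            continue
        version = fields.get("version", "")
        parsed = tuple(int(n) for n in re.findall(r"\d+", version))
        # A missing or unparsable version gives (), which compares as affected:
        # with no fixed release to compare against, unknown is treated as vulnerable.
        if parsed <= LAST_AFFECTED:
            hits.append((css.parent.name, version or "unknown"))
    return hits

def build_sample_tree(root):
    """Constructed sample: an unpacked image with three themes (directory names are made up)."""
    samples = {
        "shop-theme-a": "/*\nTheme Name: Kids Gift Shop\nVersion: 0.5.4\n*/",
        "shop-theme-b": "/*\nTheme Name: Kids Gift Shop\n*/",  # no Version line
        "other-theme": "/*\nTheme Name: Some Other Theme\nVersion: 0.1\n*/",
    }
    for name, css in samples.items():
        theme = Path(root, "var/www/html/wp-content/themes", name)
        theme.mkdir(parents=True)
        (theme / "style.css").write_text(css)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for directory, version in find_affected(tmp):
            print(f"affected: {directory} (version {version})")
```

Matching on the Theme Name header rather than the directory name catches copies that were renamed when bundled into a custom image.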